
If a SPA wants to be issued an access token meant to be used in calls to an API then it needs to specify those intentions (using the expected audience value) when doing the initial authentication/authorization request.

If you haven't done so already you should read the following documentation:

Hello Jmangelo, thank you for your response. I understand that. But what happens in my application is that I will have multiple APIs being called by a user that will authenticate only once. Do I have to request a different access token for any one of them? And in that case, how can I implement that?

If all the APIs are under your control you can consider if representing them as a single audience is a suitable alternative; see https://auth0.com/docs/api-auth/tutorials/represent-multiple-apis. Otherwise, you'll have to request an access token for each API; however, depending on the configuration it's possible to perform these additional requests without the user having to authenticate again, so it would be transparent for the end-user.
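The per-API approach described in the answer above, as an added example that is not part of this thread and not Auth0's own SDK code: a SPA keeps one audience-restricted access token per API, builds a silent `/authorize` request (`prompt=none`, run in a hidden iframe) only for the audiences it has no live token for, and checks the `aud` claim of a cached token before routing it to an API. The tenant domain, client ID, redirect URI and API identifiers are placeholders, and the JWTs are constructed sample data; a real SPA must generate random `state`/`nonce` values and verify them on the callback.

```javascript
// Added example (not from the thread or the Auth0 SDK). Placeholder values:
const AUTH0_DOMAIN = "example.auth0.com";                        // assumption
const CLIENT_ID = "SPA_CLIENT_ID";                               // assumption
const REDIRECT_URI = "https://app.example.com/silent-callback";  // assumption

// Build the /authorize URL for a silent (hidden-iframe) request scoped to one API.
// `audience` selects which API the resulting access token is valid for;
// `prompt=none` makes the authorization server return an error instead of
// rendering a login or consent page, so the user sees nothing.
function buildSilentAuthUrl({ audience, scope, state, nonce }) {
  const url = new URL(`https://${AUTH0_DOMAIN}/authorize`);
  url.search = new URLSearchParams({
    client_id: CLIENT_ID,
    response_type: "token id_token",
    redirect_uri: REDIRECT_URI,
    audience,
    scope,
    state,   // must be random and checked on the callback (CSRF protection)
    nonce,   // must be random and checked against the id_token
    prompt: "none",
  }).toString();
  return url.toString();
}

// Decode a JWT payload WITHOUT verifying the signature. The SPA only uses this
// to route a cached token to the matching API; the API must still verify the
// signature, issuer and `aud` claim itself.
function decodeJwtPayload(jwt) {
  const parts = jwt.split(".");
  if (parts.length !== 3) throw new Error("not a JWS compact serialization");
  const b64 = parts[1].replace(/-/g, "+").replace(/_/g, "/");
  return JSON.parse(Buffer.from(b64, "base64").toString("utf8"));
}

// Per-audience token cache: one entry per API, expiring on the `exp` claim.
class TokenStore {
  constructor(now = () => Math.floor(Date.now() / 1000)) {
    this.now = now;
    this.tokens = new Map();
  }
  put(accessToken) {
    const { aud, exp } = decodeJwtPayload(accessToken);
    const audiences = Array.isArray(aud) ? aud : [aud];
    for (const a of audiences) this.tokens.set(a, { accessToken, exp });
  }
  // Returns a non-expired token for `audience`, or null if a silent request is needed.
  get(audience) {
    const entry = this.tokens.get(audience);
    if (!entry || entry.exp <= this.now() + 30) return null; // 30 s clock-skew margin
    return entry.accessToken;
  }
}

// Which audiences still need a silent /authorize round trip? With one shared
// audience for all APIs this is at most one URL; with N distinct audiences it
// can be N hidden-iframe requests, which is the cost the thread is discussing.
function audiencesNeedingTokens(store, apiAudiences) {
  return [...new Set(apiAudiences)].filter((a) => store.get(a) === null);
}

// Constructed sample JWT (header and payload only, dummy signature) for offline use.
function fakeJwt(payload) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
  return `${enc({ alg: "RS256", typ: "JWT" })}.${enc(payload)}.sig`;
}
```

Each URL returned by `buildSilentAuthUrl` is loaded in a hidden iframe; the fragment on the callback carries the access token for that one audience, which is then stored with `put`. Tokens are never sent to an API whose identifier differs from the `aud` they were issued for.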

+1. I'm currently stuck in the same situation. We currently are using the (now deprecated) delegation method to get tokens to use for multiple APIs from our SPA. However, after reading through the linked documentation, it seems like we're going to have to have a bunch of silent redirects if we want to talk with several backend APIs and not have the user go through an approval process for each one. More light on this situation would be very helpful.

Am I missing something where this is simple? For us, if we want to talk with 5 different APIs, then this means that we've got to redirect to 5 different screens to get approval. Under the old delegation method, we could just make AJAX calls and it would be invisible to the user. This is an extremely annoying thing if we have to go to 5 different UIs via redirects.
